Suricata IDS am Switch Ubuntu: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(Die Seite wurde neu angelegt: „=Idee= ;Managment Schnittstelle enp0s3 ;SniffingSchnittstelle enp0s8 =Netzwerk= *sudo vim /etc/netplan/50-cloud-init.yaml <pre> network: version: 2 etherne…“) |
|||
| Zeile 239: | Zeile 239: | ||
=Starten= | =Starten= | ||
*systemctl enable suricata --now | *systemctl enable suricata --now | ||
| + | |||
| + | =wazuh= | ||
| + | *vim /var/ossec/etc/ossec.conf | ||
| + | <pre> | ||
| + | <ossec_config> | ||
| + | <localfile> | ||
| + | <log_format>json</log_format> | ||
| + | <location>/var/log/suricata/eve.json</location> | ||
| + | </localfile> | ||
| + | </ossec_config> | ||
| + | </pre> | ||
| + | *systemctl restart wazuh-agent | ||
Aktuelle Version vom 27. Februar 2026, 07:58 Uhr
Idee
- Managment Schnittstelle
enp0s3
- SniffingSchnittstelle
enp0s8
Netzwerk
- sudo vim /etc/netplan/50-cloud-init.yaml
network:
version: 2
ethernets:
enp0s3:
addresses:
- "172.26.54.25/24"
nameservers:
addresses:
- 1.1.1.1
search:
- sec-labs.de
routes:
- to: "default"
via: "172.26.54.1"
enp0s8:
optional: true
addresses: []
dhcp4: false
dhcp6: false
Promiscuous Mode
cat <<'EOF' | sudo tee /etc/systemd/system/suricata-nic.service [Unit] Description=Configure enp0s8 for Suricata sniffing After=network-online.target Wants=network-online.target [Service] Type=oneshot ExecStart=/sbin/ip link set enp0s8 promisc on ExecStart=/sbin/ethtool -K enp0s8 gro off lro off tso off gso off RemainAfterExit=yes [Install] WantedBy=multi-user.target EOF
- sudo systemctl daemon-reload
- sudo systemctl enable --now suricata-nic.service
prüfen
- ethtool -k enp0s8 | grep -E "generic-receive|tcp-segmentation|generic-segmentation"
- ip link show enp0s8 | grep -i promisc
Suricata Konfiguration
- cat /etc/suricata/suricata.yaml
*cat /etc/resolv.conf
search sec-labs.de
nameserver 1.1.1.1
*cat /etc/hostname
ids.sec-labs.de
%YAML 1.1
---
# Variablen für die Adressgruppen festlegen
vars:
address-groups:
LAN: "[172.26.53.0/24]"
DMZ: "[10.0.10.0/24]"
SERVER: "[172.26.54.0/24]"
INT: "[$LAN,$DMZ,$SERVER]"
HOME_NET: "$INT"
EXTERNAL_NET: "!$INT"
# Standard-Log-Verzeichnis
default-log-dir: /var/log/suricata/
# Statistiken aktivieren
stats:
enabled: yes
interval: 8
# Ausgaben konfigurieren
outputs:
- fast:
enabled: yes
filename: fast.log
append: yes
- alert-debug:
enabled: yes
filename: alert-debug.log
append: yes
- stats:
enabled: yes
filename: stats.log
append: yes
totals: yes
threads: no
- eve-log:
enabled: yes
filename: eve.json
types:
- alert
- dns
- http
- tls
- flow
- ssh
- stats
# Logging-Einstellungen
logging:
default-log-level: notice
outputs:
- console:
enabled: yes
- file:
enabled: yes
level: info
filename: suricata.log
# Netzwerkschnittstellen konfigurieren
af-packet:
- interface: enp0s8
threads: auto
cluster-id: 98
cluster-type: cluster_flow
defrag: yes
# PID-Datei
pid-file: /var/run/suricata.pid
# Coredump-Einstellungen
coredump:
max-dump: unlimited
# Host-Modus
host-mode: auto
# Unix-Befehlseingabe konfigurieren
unix-command:
enabled: yes
filename: /var/run/suricata-command.socket
# Engine-Analyse-Einstellungen
engine-analysis:
rules-fast-pattern: yes
rules: yes
# Defragmentierungseinstellungen
defrag:
memcap: 32mb
hash-size: 65536
trackers: 65535
max-frags: 65535
prealloc: yes
timeout: 60
# Standardregelverzeichnis
default-rule-path: /etc/suricata/rules
# Regel-Dateien
rule-files:
- local.rules
# Klassifikationsdatei
classification-file: /etc/suricata/classification.config
# Referenzkonfigurationsdatei
reference-config-file: /etc/suricata/reference.config
Eigene Regeln
- cat /etc/suricata/rules/local.rules
# ICMP: einfacher Ping/Traceroute (schneller Funktionstest) # Test: ping -c1 <ZIEL> alert icmp any any -> any any (msg:"ICMP Test"; classtype:misc-activity; sid:41;) # HTTP: mögliches Command-Injection-Merkmal (Semikolon) in POST-Body # Test: curl -X POST http://<ZIEL>/ -d "q=test%3Bls" alert http any any -> any any (msg:"Command Injection - Semicolon in POST DATA"; classtype:web-application-attack; flow:established; content:"%3B"; nocase; http_client_body; sid:2;) # HTTP: mögliches SQLi-Merkmal (einfaches Hochkomma) in POST-Body # Test: curl -X POST http://<ZIEL>/login -d "u=a&p='%20OR%201=1" alert http any any -> any any (msg:"Possible SQL Injection (singlequote in POST)"; classtype:web-application-attack; flow:established,to_server; content:"%27"; nocase; http_client_body; sid:3;) # DNS: Policy – verbietet "google" in DNS-Queries # Test: dig google.com @<FW> alert dns any any -> any any (msg:"Kein Googlen"; dns.query; content:"google"; nocase; classtype:policy-violation; sid:43;) # DoS: viele identische kurze HTTP-GETs (LOIC-ähnlich) # Test: ab -n 1000 -c 500 http://<ZIEL>/ alert tcp any any -> any any (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:own-dos; sid:54; rev:2; metadata:created_at 2014_10_03, confidence Medium, signature_severity Major, updated_at 2019_07_26;) # Scan: TCP SYN-Sweep (viele SYN in kurzer Zeit) # Test: nmap -sS -p1-100 <ZIEL> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP SYN sweep"; flow:stateless,to_server; flags:S; detection_filter:track by_src,count 20,seconds 5; classtype:attempted-recon; sid:60; rev:1;) # Scan: TCP NULL-Scan (keine Flags gesetzt) # Test: nmap -sN -p1-100 <ZIEL> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP NULL scan"; flow:stateless,to_server; flags:0; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:61; rev:1;) # Scan: TCP FIN-Scan (nur FIN) # Test: nmap -sF -p1-100 <ZIEL> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP FIN scan"; flow:stateless,to_server; flags:F; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:62; rev:1;) # Scan: TCP XMAS-Scan (FIN+PSH+URG) # Test: nmap -sX -p1-100 <ZIEL> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN TCP XMAS scan"; flow:stateless,to_server; flags:FPU; detection_filter:track by_src,count 5,seconds 10; classtype:attempted-recon; sid:63; rev:1;) # Scan: UDP-Sweep mit leerer Payload # Test: nmap -sU --min-rate=1000 <ZIEL> alert udp $EXTERNAL_NET any -> $HOME_NET 1:65535 (msg:"OWN SCAN UDP sweep (empty probes)"; flow:to_server; dsize:0; detection_filter:track by_src,count 15,seconds 10; classtype:attempted-recon; sid:64; rev:1;) # Scan: ICMP Ping-Sweep (viele Echo-Requests) # Test: nmap -sn <NETZ>/24 alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"OWN SCAN ICMP ping sweep"; itype:8; detection_filter:track by_src,count 10,seconds 5; classtype:attempted-recon; sid:65; rev:1;) # --- ICMP Flood / Ping Flood (klassischer DDos) --- alert icmp any any -> $HOME_NET any (msg:"ICMP Flood Potential Detected"; threshold: type both, track by_dst, count 100, seconds 10; sid:1000001; rev:1;) # --- UDP Flood --- alert udp any any -> $HOME_NET any (msg:"UDP Flood Potential Detected"; threshold: type both, track by_dst, count 200, seconds 5; sid:1000002; rev:1;) # --- TCP SYN Flood (Sehr häufiger DDos-Typ) --- alert tcp any any -> $HOME_NET any (flags:S; msg:"TCP SYN Flood Potential Detected"; threshold: type both, track by_dst, count 150, seconds 10; sid:1000003; rev:1;) # --- HTTP Flood (Layer 7 Attacke) --- alert http any any -> $HOME_NET any (msg:"HTTP Flood Potential Detected"; threshold: type both, track by_dst, count 300, seconds 10; sid:1000004; rev:1;) # --- DNS Amplification / große DNS Antworten --- alert udp any 53 -> $HOME_NET any (msg:"Possible DNS Amplification Attack"; dnsize: > 512; threshold: type both, track by_src, count 50, seconds 5; sid:1000005; rev:1;) # --- (Optional) Einfacher "Hello World" Treffer für Tests --- alert tcp any any -> $HOME_NET any (msg:"TEST - SSH Connection Attempt"; content:"SSH"; nocase; sid:1000006; rev:1;)
Starten
- systemctl enable suricata --now
wazuh
- vim /var/ossec/etc/ossec.conf
<ossec_config>
<localfile>
<log_format>json</log_format>
<location>/var/log/suricata/eve.json</location>
</localfile>
</ossec_config>
- systemctl restart wazuh-agent